6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
Size

625KB
MD5

25e354ad22bb782db16fb9b9e7833d9a
SHA1

70c42b74d2103bdf8e98df392747f899b956ab45
SHA256

6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e
SHA512

8859a2960ca19b84eb69c85b7ac3f3e1ed4fa6802179a907a7189c55d69893e123204ed86f9c6357f9f64c52644fe266cfd6d89b80d38807258bb73e7110cec9
SSDEEP

12288:y2BIxn85c6S4Hb4849nIYVjIlCOU4hog96o2gZ:PB65gcTVjUCs2Vo2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 46 IoCs

pid	Process
476	Process not Found
2628	alg.exe
2564	aspnet_state.exe
2860	mscorsvw.exe
1888	mscorsvw.exe
1572	mscorsvw.exe
1672	mscorsvw.exe
1748	ehRecvr.exe
844	ehsched.exe
2764	mscorsvw.exe
620	mscorsvw.exe
2868	mscorsvw.exe
548	mscorsvw.exe
2160	mscorsvw.exe
900	mscorsvw.exe
2516	mscorsvw.exe
2524	mscorsvw.exe
112	mscorsvw.exe
2380	mscorsvw.exe
2304	mscorsvw.exe
1704	mscorsvw.exe
2100	elevation_service.exe
1144	IEEtwCollector.exe
1468	GROOVE.EXE
1328	maintenanceservice.exe
1260	msdtc.exe
2224	msiexec.exe
1836	OSE.EXE
3004	OSPPSVC.EXE
2552	perfhost.exe
2820	locator.exe
2416	snmptrap.exe
1692	vds.exe
2548	vssvc.exe
1368	wbengine.exe
2524	WmiApSrv.exe
2184	wmpnetwk.exe
808	SearchIndexer.exe
860	mscorsvw.exe
920	mscorsvw.exe
2744	mscorsvw.exe
1900	mscorsvw.exe
1904	dllhost.exe
1632	mscorsvw.exe
2300	mscorsvw.exe
292	mscorsvw.exe

Loads dropped DLL 15 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
2224	msiexec.exe
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
756	Process not Found
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\dllhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\msdtc.exe	aspnet_state.exe
File opened for modification	C:\Windows\System32\vds.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbengine.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\dllhost.exe	mscorsvw.exe
File opened for modification	C:\Windows\System32\alg.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\vssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	mscorsvw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\999de6093d2ec148.bin	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	aspnet_state.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	aspnet_state.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	mscorsvw.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	aspnet_state.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	aspnet_state.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	mscorsvw.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	mscorsvw.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{23077F0D-CA22-47FC-B673-706F05625B29}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	aspnet_state.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	aspnet_state.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{23077F0D-CA22-47FC-B673-706F05625B29}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	ehRecvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e02a487b1991da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{AFFFF535-F31D-4382-9745-57AEB7C962BC}	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200016 = "USA.gov"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{AFFFF535-F31D-4382-9745-57AEB7C962BC}	wmpnetwk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0c794771991da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe
2564	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2252	6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeTakeOwnershipPrivilege	2564	aspnet_state.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1572	mscorsvw.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeShutdownPrivilege	1672	mscorsvw.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeSecurityPrivilege	2224	msiexec.exe
Token: SeBackupPrivilege	2548	vssvc.exe
Token: SeRestorePrivilege	2548	vssvc.exe
Token: SeAuditPrivilege	2548	vssvc.exe
Token: SeBackupPrivilege	1368	wbengine.exe
Token: SeRestorePrivilege	1368	wbengine.exe
Token: SeSecurityPrivilege	1368	wbengine.exe
Token: 33	2184	wmpnetwk.exe
Token: SeIncBasePriorityPrivilege	2184	wmpnetwk.exe
Token: SeManageVolumePrivilege	808	SearchIndexer.exe
Token: 33	808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	808	SearchIndexer.exe
Token: SeDebugPrivilege	2564	aspnet_state.exe
Token: SeDebugPrivilege	1572	mscorsvw.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
896	SearchProtocolHost.exe
896	SearchProtocolHost.exe
896	SearchProtocolHost.exe
896	SearchProtocolHost.exe
896	SearchProtocolHost.exe
896	SearchProtocolHost.exe
896	SearchProtocolHost.exe
896	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2764	1572	mscorsvw.exe	36
PID 1572 wrote to memory of 2764	1572	mscorsvw.exe	36
PID 1572 wrote to memory of 2764	1572	mscorsvw.exe	36
PID 1572 wrote to memory of 2764	1572	mscorsvw.exe	36
PID 1572 wrote to memory of 620	1572	mscorsvw.exe	37
PID 1572 wrote to memory of 620	1572	mscorsvw.exe	37
PID 1572 wrote to memory of 620	1572	mscorsvw.exe	37
PID 1572 wrote to memory of 620	1572	mscorsvw.exe	37
PID 1572 wrote to memory of 2868	1572	mscorsvw.exe	38
PID 1572 wrote to memory of 2868	1572	mscorsvw.exe	38
PID 1572 wrote to memory of 2868	1572	mscorsvw.exe	38
PID 1572 wrote to memory of 2868	1572	mscorsvw.exe	38
PID 1572 wrote to memory of 548	1572	mscorsvw.exe	39
PID 1572 wrote to memory of 548	1572	mscorsvw.exe	39
PID 1572 wrote to memory of 548	1572	mscorsvw.exe	39
PID 1572 wrote to memory of 548	1572	mscorsvw.exe	39
PID 1572 wrote to memory of 2160	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 2160	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 2160	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 2160	1572	mscorsvw.exe	40
PID 1572 wrote to memory of 900	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 900	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 900	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 900	1572	mscorsvw.exe	41
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2516	1572	mscorsvw.exe	42
PID 1572 wrote to memory of 2524	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 2524	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 2524	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 2524	1572	mscorsvw.exe	43
PID 1572 wrote to memory of 112	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 112	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 112	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 112	1572	mscorsvw.exe	44
PID 1572 wrote to memory of 2380	1572	mscorsvw.exe	45
PID 1572 wrote to memory of 2380	1572	mscorsvw.exe	45
PID 1572 wrote to memory of 2380	1572	mscorsvw.exe	45
PID 1572 wrote to memory of 2380	1572	mscorsvw.exe	45
PID 1572 wrote to memory of 2304	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2304	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2304	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 2304	1572	mscorsvw.exe	46
PID 1572 wrote to memory of 1704	1572	mscorsvw.exe	47
PID 1572 wrote to memory of 1704	1572	mscorsvw.exe	47
PID 1572 wrote to memory of 1704	1572	mscorsvw.exe	47
PID 1572 wrote to memory of 1704	1572	mscorsvw.exe	47
PID 808 wrote to memory of 896	808	SearchIndexer.exe	67
PID 808 wrote to memory of 896	808	SearchIndexer.exe	67
PID 808 wrote to memory of 896	808	SearchIndexer.exe	67
PID 808 wrote to memory of 536	808	SearchIndexer.exe	68
PID 808 wrote to memory of 536	808	SearchIndexer.exe	68
PID 808 wrote to memory of 536	808	SearchIndexer.exe	68
PID 1572 wrote to memory of 860	1572	mscorsvw.exe	69
PID 1572 wrote to memory of 860	1572	mscorsvw.exe	69
PID 1572 wrote to memory of 860	1572	mscorsvw.exe	69
PID 1572 wrote to memory of 860	1572	mscorsvw.exe	69
PID 1572 wrote to memory of 920	1572	mscorsvw.exe	70
PID 1572 wrote to memory of 920	1572	mscorsvw.exe	70
PID 1572 wrote to memory of 920	1572	mscorsvw.exe	70
PID 1572 wrote to memory of 920	1572	mscorsvw.exe	70
PID 1572 wrote to memory of 2744	1572	mscorsvw.exe	71
PID 1572 wrote to memory of 2744	1572	mscorsvw.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe
"C:\Users\Admin\AppData\Local\Temp\6e44ec90c43677f604ca713c2aaa06eedbe6215266e4bbd7c6ecc1c1894e879e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2860

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1e0 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 1e0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 270 -NGENProcess 1f0 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 25c -NGENProcess 270 -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1d4 -NGENProcess 264 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 240 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 248 -NGENProcess 288 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 278 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 294 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 29c -NGENProcess 240 -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2ec -NGENProcess 2e8 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 24c -NGENProcess 244 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 290 -NGENProcess 288 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1748

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1144

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1468

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3004

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 584 588 596 65536 592
  2⤵
  - Modifies data under HKEY_USERS
  PID:536

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
ce8dabb146fe953cb3def5fa0146ca5a

SHA1
fb96b7d743961300df5b49cc0182c1956fc681c4

SHA256
404f53e3387888f146431acf69f494e8da3fe4105845a0544e451646e37a51c9

SHA512
fad324bdc0e6ec978a62ca86d9545b9692693ff64d6c7af25889b3264403641073fed8573a1066deacc091c2fa793c76c5b7a32beb814f776b551c39d5856c01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
7273f1a0e777083aced33fd15d59bf36

SHA1
61fd6ca80067d1e2274a805518a907c999987ba6

SHA256
65124319074ca02a7ccb15a21a5537b003280693af0961dc768d79df756583f1

SHA512
84daa73a1ecbc2a8089063f190a83d1d2b0e0609b3e46918b18565fe895635b36da1d5796fa081b283949564e91f01f8c6920dda4bebe453724dd30ecc85a307

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
b4afb1fd17455537694e5d81f67ccdad

SHA1
df4384aba638710e613dacd211971b45c4e2aacc

SHA256
c550d74d8b8bd41fa9eb6b4f9f581c77ce2dd393f09409e15c73f9b64406bee6

SHA512
88b66dec9854a834524c0032f9b42bfed75c03640758cb5e32dbb8cfbf620615063f4a5751e64ccb396ad5097acc954b7c468e512d904cdb5c74d713be062609

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
539076901db17b1359f0c89261eeb32e

SHA1
d628ef5c901bdd31a0e7010b016d1953759a30d4

SHA256
76ca805969f45e08d7afb99267c4f109a18a12ffb8ce3bb0e74300705b31db86

SHA512
35f2e1f37e31238b7afa481fc7fede254d3e7181cc003118704f72b85b5f17836b19d309add0945be45b15d95b679e46c76cc58fdf9966355a894cf58100bc43

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
29dc85ea8e5759a28ea4bc976854b6b5

SHA1
6977f070917f79df2e7a758b4fa69f57ee860344

SHA256
43cac2bdf475dfd0b0c11715a30ba19ca0457884aa9eed6ad1064ba2079f1bae

SHA512
047df03fe9cd0497c4ee2a58fa7f3fd02159cb47ea78a2658e200059caeece34567dd6ca5414c39a3593b04d153e36c604d272094acdb977585b0310dfd6517b

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
10b29ab6a20f00bfb34f115d114c9f3a

SHA1
12fe0187e6ad0382241bf272f4c876d5cfb84cda

SHA256
618d9073b5daaa227bc665901cb63eb5399f5e7c6a530fd298dfe8f90f4acd65

SHA512
8dcc96c7a2959f07cb9ef87ae512a84f00cbeaa50a9a92b121fe5557664b3ec6b36c49e443ad654fb1dbd06f6f9147913805b821d8b9e025e89ca9ff28c61f35

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
1a7d385d0d2e407f86497bf41bcd21eb

SHA1
88dd6a1ffe6ff02fabdad4d65a4a6a8fa7666de5

SHA256
a955e1ab7086991d20195532561142993305c44d712ef316848bf12e1f9a280a

SHA512
433da2783a3010bed3f2071c2dda48ddeb656c7e14a98ad63cf57d26d4a5b532d2d8d7e1d045a9033ab2c446244e7cfcb77db065509a0bf09f1cbc2f66f41f07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
ddaa1187b2b6734e4a76a507757bfbef

SHA1
9334260fe47ddbbc2274dbb28dfccf00ad6a2a1c

SHA256
8c30f9ab65e4c30c1e4a63d20334b095216ae0661a64855248d91e496813fccb

SHA512
2b36833bd530f2016ae39a7dff7fc5d009988228969bec4c4ad50c2f8ce66edf8caa763bf5869ef311f0c000990926264f0c61d7a66df3be427f08cf4111e60b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
1efbedee91e7f056dc0be5a411ffc649

SHA1
3f70352549d42ffa86c20b76baa4971213f65472

SHA256
b21fcd310e1e3605b92a92503e0cf0a39f6d08025f595fc57a2e8b2bf4e38ac9

SHA512
576eeea96bf2e4e033216bfb795c635ba4bb7daf723b766b193b45c7fde4f2ea746cc4470c33e82b6dad9004cf70ff3caa58cfe937eb554d937a7a624487278b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
ec72636c75d399cac9e0c084cd10705e

SHA1
aa33d548366dfb81252563d6e07949ced36b50eb

SHA256
d4e81128b0dba373ac9b205c84e72a36230c75f2dc45290b7880767897142c27

SHA512
64421e76cbb48f16c95ce64f71bcb966fafa5b0723100ff279f02d7f78a3eca00c922073a0a295893ac45ad63281c819f4caee3977bdbb8e161f719b7bc94ec1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
3c55fb51c62ef213cea03a0e375cf56a

SHA1
9fd641b7e8cfff30a02473a7470873030b307027

SHA256
a902a0066750c44ed89b3f62656ffb731c970555d655456f53f77a3ae9476392

SHA512
387b3e495198cba7149c7ece09f5d9c49e2e246e4780f7fc4c8d24213ce7e12ea36cf84119f5e89818fea0f6ea97fcebe9867dfaafb06b2538b4992670b0a621

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
657d85d015bf2ee6ff732095ace0e869

SHA1
22da51753c694bb4ae509a5fd3d313d3e2def6c6

SHA256
9f865f294812a8b2498ccd7e0adab60cbe6071e583c53defac545e3090b8b7dd

SHA512
0c6ac6f1bbc76f6c063e2da03e7a6f86c0bb182de65b1b7a213ee85c1c9e5694225cdf546ba2e5d0cb5eacbf80e74f9819181f1ded4913761408f5524d2885d3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
7a5644a421044a05409fee179f20fb76

SHA1
1006bf84e138b0328cb9b7ca4bc1b9f4871254cf

SHA256
8dc70de550ae6c935e7acbf106c208295cef440f65f447298789b8a912aeb3a5

SHA512
ca618c588c103dc0fa66d12774b925fa901ad62a0faf4ad034a10ad4ba974542ccb3d08fb1112d8db50660dce05940d6d5aabc25b5c5013f7693bd4fd47b4121

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
c77598ab94cb1317d69fd990fea6ae00

SHA1
099527eac507bbd60aa9abac1a5b89d92c1126bf

SHA256
d9a17d466cfa2dfceb0b629792df8db1853dc5634e48c6cd29c685c6ef91f8f4

SHA512
57fbf727c12041e906e644f02ed66051b2792eebc9d20ba53a07dfb96c971c1d727e83949263446cac03509b0f4e9cf088fdc706d7409dd9e72d5b716a849054

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.1MB

MD5
208fb0bdd8b68a5f976a722e12b3fc32

SHA1
505b6c86f8527df9f828569b1e0ff4aa01b60968

SHA256
fdf9670c94e02004b099350a9154165d1ade28df29587d0dee524a0c99b30a83

SHA512
0e280c1d1dac56658ce64fb5a7d1c2e222ca736abeb9cfa37ae4544ca0dcd9c86c8e7b6c488264095631ff61e8177aec65979a7e7fdcc9a2d3a7703bfd1db5a6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
49d091935b6783258177518fb5b64665

SHA1
f4e0a7515258a70c1e5f48c97c5f039612100163

SHA256
1d20bdb9ef3b73e9b32a3b6834a575e5974fac80a1038a29bbda6b45a30bdea9

SHA512
30fc12f5054e1761bcf987e4a3666d6caadf5f50c90e8684eabb7b0b226a1d4a3d5bbf59449e591af7c9a6cc82bf647222452c89bc15f80fbfbfd5a673eda2c4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
00027757d0aa533c0c31b6d11f0815a8

SHA1
e8993007331fa68472eb577d579b0466709fcf0c

SHA256
928f5b1bafb264146ab6158373072ec6a814b979a7a8982b77bf2c4c42da0f52

SHA512
5a706c630c9246e4a91075283a3f3fffe4502fbc71eed696f999076e787958de3940bf974e209ce737147ef80f925e4717ba925766c211f4e10cb21c787de046

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
4375f72f7d9420521f3633f7e52e200e

SHA1
6dc5d6316f8bf46ffb15d7b84c2d72b2cdfb6980

SHA256
391935e9022018846555446c2fb298f1aff94fc701d1923c72c9b48e37bf2f33

SHA512
027fc18f69b98cdba3de6c27e6f00c7fab4722aec4ed8ec1f74a11077d2af74d09713d6c5f5351c20ae22ca50ce695b468d8fd94a101ebc1631abc2171d93a72

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
e2e367e3cbb121d5f3f0b267537edb90

SHA1
fa5f42016b70be24dd57d5f48519071fff41c6ea

SHA256
5c70e5ec42aa73cccc6f698cad3e2a3e060a3bf1c9efa79e85d4c035509b9df8

SHA512
dbfa4649f58c3111e88a9f60b3706ba6e03ae89194c58d1db16965340716acb443eabfe3b7020783fbed8b4e7d482847e062799e977f9be4de7b271cb80b550a

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
bee233314bd16a99ddaa6aa9d0680442

SHA1
22d04d77e247ca84bb0258afe44b88b8f66a4d07

SHA256
32683413604997496b6b0c90fa124d0170b2d29cb936e893d4e3a4020f035d96

SHA512
b6b89e15861b07d1447c59673516c704a19a14ec664771f3ed3877dd97bf80306877632390af034db32e91675008951d11073b7a19271450fc07b03aa05e7750

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
6e4b12d9e76b3127815ad045d484c8da

SHA1
9051a417f11f61d82715b5f71248c292dbf7320d

SHA256
d35dd5fb3c07773d3032ed2b7f13a3bebbdbb574d2b69c519cadc7da79b3d012

SHA512
112f1cdf1b88c869b2c6111fb22905c6ad9827bc31703ba1db9da8e36ef5d091bf0e7d8ee157f78a4afece82db38f91b2b6d7a7f3b3ea2fd959843745c54a31f

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
148846d0d85e1b6a42ee86a43f1855bd

SHA1
e035f47ec7156de08384b2de05675d944051edb6

SHA256
13a21ae1e53b00f7f048c007808bbf44f2a774e2bc1be752a35d7e9549e21531

SHA512
0d42e1a60a9e20194b569591e7c40d0055d4b5f4d4150cdea63bdcb9d8d3deb0805b73cbe65e139d76d2b56f36ddc55aac8f1dae9ba4439b134daa52b1d0b469

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
282dc0ce4e4235264b639a79315e170d

SHA1
2173c3f328656859115561deb57b06852d163bfc

SHA256
891d1b073f2d408cbe1a10e4479342e2e696b3baffdd95515b9dea4c34d368f9

SHA512
f050d536ffdf0d39db96ff4a1e6d84f8a307d1669b6e08ce19f0c353c2d5ca6ced07aef4db056bc915159711bbeed1c9934f0d5a513c45bbcb716e3b85e7d0a9

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
345fe354fc9f9f7327302e236d212ada

SHA1
b18d9ba1264d8ba17e43f66456dfe9103661420f

SHA256
cb124fe5bae8ebed7e0b4c77ff1c6875bdebc60405d501b56783b36182b9fec4

SHA512
403ddd4e6cb073e49e51986e9331ae15860ac8fb02a9aa12c5eaf62228aa1860ee54c881624a8144b791f19f6546a0217ac63f816fd7f89f7dbb1ac03e6ae484

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
554159865b0c21a2f6903bfc511f1d33

SHA1
4717e1c7845689aab912bdc95854434e9551bf62

SHA256
9b59f95ee8b222b675c569fa23b0806be48e2141fecf1defd074dba40c73b329

SHA512
817eed247cdae3c9628b57d2d3c713c12a8cc9bcf1e0f4439d91910cafee4b1e6105539af08d62aa65087f4c667a5b45c72581be4db997a7c248d5ec9e0dbbfc

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
5f5ecf793ad6cc499e9629cc15cf275b

SHA1
4a111e3d35e5c0b3fe2720307ebfd0f1a4e19eab

SHA256
44191aa88b6cf71b1b358d58c1d943d95a7d498922734423b19890315a73c2c8

SHA512
e2ffdd04f02e2f5f4f451099a3b0380b2312a0fb6d2af574931540fb600985acfd77a5cc60a09f65680bdb64a3427cb56e21d7fc8596c9f5cddc2a2f7bd47428

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
5c586aae9acbdb8048d3080e4076cf33

SHA1
7c49fdc4a43c17005a2602174ee2dde2eb254514

SHA256
4d2bc791e0046d00b165a8b4db7fdd5a3850895c2fb3fe9e26043a213c3f4189

SHA512
300c5ed0e06281695dd75815d15e43d09cb62c1417068fff299f2d342043878fc445be971c45b6713d3b2caad8c63f6bf2593f124b7759e3157c138f727fc638

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
4a4b466f7470bae774018d319512e9ac

SHA1
70a6e25e97897dcab72b513917d96c1d57371749

SHA256
f7268579795bfb7c77ccc1d4f507b0bd05a0a5e41f564016d75822712cfcb5af

SHA512
36e871ad758aa769332aeba50c8dfe692f7bd2d270a768214006896aecf22e117463a38c74448bdba8d4ec48c0373135e1407011f762fe1214068eae34ecd3d4

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
c4cb6ed03cb7a8042892b10b20eddff0

SHA1
6fe9c3c47497d3f062eacde6efe3d02e80209439

SHA256
e185850647882f352e60b653711f32619a57ed1e57b99505ec8a668590e44556

SHA512
b3b1a5893720b273a507dc82a518b5965c66a80abfb0b02c063125be7ed3f9c6d5ad142a65006be36ebe76dbe973a0d62ecc18a2f5a6b36543f095ab74988504

Download Submit
memory/112-262-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/112-254-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/112-259-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/548-202-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/548-178-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/548-185-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/548-193-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/620-155-0x00000000002A0000-0x0000000000307000-memory.dmp

Filesize
412KB

Download
memory/620-160-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/620-146-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/620-171-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/844-176-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/844-115-0x00000000003A0000-0x0000000000400000-memory.dmp

Filesize
384KB

Download
memory/844-119-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/900-231-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-212-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/900-207-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/900-216-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/900-232-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/1572-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-70-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1572-64-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1572-65-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/1672-87-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/1672-80-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/1672-81-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1672-154-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1748-168-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1748-102-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1748-110-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/1748-120-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1748-105-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1748-182-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1748-116-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1748-127-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1888-45-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1888-99-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1888-52-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1888-46-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1888-53-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2160-218-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2160-203-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-200-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2160-217-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-195-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2252-72-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2252-6-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2252-123-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2252-1-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/2252-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2380-265-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-247-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-233-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-246-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-221-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2516-227-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/2524-237-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-242-0x00000000004B0000-0x0000000000517000-memory.dmp

Filesize
412KB

Download
memory/2524-261-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2524-252-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2564-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2564-104-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2564-16-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2628-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2628-89-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2764-141-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-152-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-138-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2764-132-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2764-151-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-62-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2860-31-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2860-28-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2860-35-0x00000000002F0000-0x0000000000357000-memory.dmp

Filesize
412KB

Download
memory/2868-188-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-187-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-170-0x0000000000340000-0x00000000003A7000-memory.dmp

Filesize
412KB

Download
memory/2868-163-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-172-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download